New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 756408 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Mac
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::LayoutSelection::Commit

Project Member Reported by ClusterFuzz, Aug 17 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4529134880686080

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::LayoutSelection::Commit
  blink::LayoutView::CommitPendingSelection
  blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=494993:495051

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4529134880686080

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Aug 17 2017

Labels: OS-Android
Project Member

Comment 2 by ClusterFuzz, Aug 20 2017

Labels: OS-Linux
Components: Blink>Layout

Comment 4 by e...@chromium.org, Aug 22 2017

Components: -Blink>Layout Blink>Editing
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
https://chromium-review.googlesource.com/616374 is the most likely culprit in regression range.

Other candidates include:
https://chromium-review.googlesource.com/615846
https://chromium-review.googlesource.com/612754

Comment 5 by yosin@chromium.org, Aug 23 2017

Owner: yoichio@chromium.org
Could you take look?
It seems <select id="htmlvar00011"><optgroup id="htmlvar00013"></select>
causes nullptr in EphemeralRangeInFlatTree::Nodes().

Comment 6 by yosin@chromium.org, Aug 23 2017

Issue 756467 has been merged into this issue.
Project Member

Comment 7 by ClusterFuzz, Aug 23 2017

Labels: OS-Windows

Comment 8 by tkent@chromium.org, Aug 23 2017

Cc: yoichio@chromium.org
Components: Blink>Forms>Validation
Owner: tkent@chromium.org

Comment 9 by yosin@chromium.org, Aug 24 2017

Issue 757362 has been merged into this issue.

Comment 10 by tkent@chromium.org, Aug 24 2017

Status: Started (was: Assigned)
Cc: msrchandra@chromium.org
 Issue 758145  has been merged into this issue.
Project Member

Comment 12 by ClusterFuzz, Aug 24 2017

ClusterFuzz has detected this issue as fixed in range 496835:496881.

Detailed report: https://clusterfuzz.com/testcase?key=4529134880686080

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::LayoutSelection::Commit
  blink::LayoutView::CommitPendingSelection
  blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=494993:495051
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=496835:496881

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4529134880686080

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by ClusterFuzz, Aug 24 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 4529134880686080 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 14 by tkent@chromium.org, Aug 24 2017

Status: Started (was: Verified)
We haven't landed the fix yet :)

Project Member

Comment 15 by bugdroid1@chromium.org, Aug 25 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9323a73cb8d48e164e284871aee7686baaba2825

commit 9323a73cb8d48e164e284871aee7686baaba2825
Author: Kent Tamura <tkent@chromium.org>
Date: Fri Aug 25 05:52:32 2017

Do not trigger layout inside HTMLFormControlElement::SetNeedsValidityCheck().

SetNeedsValidityCheck() can be called in the middle of a DOM mutation,
and the default ValidationMessageClient::ShowValidationMessage() called
in HTMLFormControlElement::UpdateVisibleValidationMessage() triggers
force layout. We avoid it by calling UpdateVisibleValidationMessage()
later.

Bug:  756408 
Change-Id: Ic658652bc851e27d5eeb9496e211100fa091e372
Reviewed-on: https://chromium-review.googlesource.com/630418
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497332}
[modify] https://crrev.com/9323a73cb8d48e164e284871aee7686baaba2825/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/9323a73cb8d48e164e284871aee7686baaba2825/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp

Comment 16 by tkent@chromium.org, Aug 25 2017

Status: Fixed (was: Started)

Sign in to add a comment